timezone setting based on forwarder naming convent...

joesrepsolc · ‎10-10-2019

I'm sure Splunk'rs have ran across this already, so here's my issue.

We have server naming conventions with "D" for DEV, "T" for TEST and "P" for PROD (in the same position of the server name). They reside in different data centers which are in different timezones. How do I set my props.conf to adjust the TZ value based on the naming convention of the host? The log sourcetypes are the same, going to the same index, but I need to adjust the TZ forward/back as these are in different data centers.

Is this setting made with REGEX in the inputs.conf of the app? Or is this done in the props.conf? Confused on exactly where/how to do this.

Thanks in advance!

woodcock · ‎10-13-2019

You just do this in props.conf:

[host:.{number=character count preceding D, T, or P}D.*]
TZ=TZforDevHere
[host:.{number=character count preceding D, T, or P}T.*]
TZ=TZforTestHere
[host:.{number=character count preceding D, T, or P}P.*]
TZ=TZforProdHere

timezone setting based on forwarder naming convention?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation